Configuring the VyOS VPN Instance on GCP

To configure the VyOS VPN Instance on GCP:

As part of the PoC script that is run, the VM instance of the Velostrata VyOS VPN Gateway is created with its serial console option enabled.

The Velostrata VyOS VPN Gateway in GCP is also assigned the firewall tag 'fw-vpn', which allows inbound connectivity for the OpenVPN tunnel on port UDP/1194, and SSH to the private IP address from the source on-premises environment only (the outbound public IP configured during the deployment script execution).

  1. Open the Google Cloud Console and locate the velosvpngateway instance.
  2. Connect to the VM serial console: under "Remote access", click "Connect to serial console". Use the following credentials:

User: vyos, Password: vyos

  3. Change the Velos VPN Gateway default password by entering the following command (replace 'password' with a strong password of your own):
set system login user vyos authentication plaintext-password 'password'
  4. Delete all existing route table entries, as follows.
  5. View the current route table entries with the following command and document the VM's default gateway IP (the address after "default via"):
sudo ip route show
  6. Delete every route listed in the previous step, one command per entry, substituting the destination exactly as shown by ip route show:
sudo ip route delete <destination>
sudo ip route delete <destination>

Then edit the file 'vyatta-postconfig-bootup.script' under /opt/vyatta/etc/config/scripts/ with nano via sudo, so that the default route is re-created at every boot. For example:

sudo nano -w /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script

Add the following lines to it (replace defaultGatewayIp with the public subnet gateway IP for the VPC, which is the default gateway IP you documented when viewing the route table):

ip route add 'defaultGatewayIp' dev eth0
ip route append default via 'defaultGatewayIp'

Save and exit with Ctrl+X, confirming the save when prompted.
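The following shell snippet is an added example, not part of the original page or of the Velostrata PoC scripts. It reads the default gateway out of `ip route show` output instead of having it retyped by hand, lists every destination that has to be removed, and renders the two lines for vyatta-postconfig-bootup.script. The route listing is constructed sample data; the addresses 10.128.0.1, 10.128.0.5 and 10.128.0.0/20 are assumptions, not values from the page.

```bash
#!/bin/bash
# Added example (not from the original page or the Velostrata scripts):
# derive the default gateway from `ip route show` output and render the
# lines for /opt/vyatta/etc/config/scripts/vyatta-postconfig-bootup.script.

# Constructed sample of `ip route show` on a fresh GCP VM (assumed values).
SAMPLE_ROUTES='default via 10.128.0.1 dev eth0
10.128.0.1 dev eth0 scope link
10.128.0.0/20 dev eth0 proto kernel scope link src 10.128.0.5'

# Print the next hop of the default route read from stdin. Fails when no
# well-formed default route is present, so an empty or malformed value can
# never be written into a script that runs as root at every boot.
default_gateway_from_routes() {
  local gw
  gw=$(awk '$1 == "default" && $2 == "via" &&
            $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $3; exit }')
  [ -n "$gw" ] || return 1
  printf '%s\n' "$gw"
}

# Print the first field of every route read from stdin: these are the
# destinations to hand to `sudo ip route delete`, default route included.
route_destinations() {
  awk '{ print $1 }'
}

# Render the two lines the page says to add to the bootup script.
render_bootup_lines() {
  printf 'ip route add %s dev eth0\n' "$1"
  printf 'ip route append default via %s\n' "$1"
}

# On the appliance the sample would be replaced by the live table:
#   gw=$(ip route show | default_gateway_from_routes)
gw=$(printf '%s\n' "$SAMPLE_ROUTES" | default_gateway_from_routes)
render_bootup_lines "$gw"
```

Run it once against the live table and paste the two rendered lines into the bootup script; if the function exits non-zero there was no usable default route to copy.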

  7. Reboot.
  8. Upgrade the VyOS image using the following command; accept all defaults and, when finished, reboot.
add system image <image URL>

  9. Change the MTU value for eth0:

set interfaces ethernet eth0 mtu 1460
  10. Copy the shared secret key file obtained previously from the on-premises VyOS virtual appliance to the velosvpngw appliance. Replace VyosNewPass with the new password you configured for the cloud appliance, and xx.xx.xx.xx with the IP of the appliance:

pscp -pw VyosNewPass secret vyos@xx.xx.xx.xx:/config/auth

  11. Using PuTTY or the serial console, connect to the VyOS instance on GCP to proceed with its configuration.

  12. Configure source-based NAT for the private subnet network. The VyOS instance will function as a NAT gateway, enabling private subnet instances to access the Internet.

set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 translation address masquerade
  13. Set up the VPN tunnel using OpenVPN (supply the local and remote tunnel endpoint addresses):
set interfaces openvpn vtun0 local-address <local tunnel address>
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 keep-alive interval 10
set interfaces openvpn vtun0 keep-alive failure-count 5
set interfaces openvpn vtun0 remote-address <remote tunnel address>
set interfaces openvpn vtun0 shared-secret-key-file /config/auth/secret
  14. Set a static route to direct workload traffic from the private subnet to the corporate network; replace <on-premises subnet> with the on-premises network subnet:
set protocols static route <on-premises subnet> next-hop <remote tunnel address>
  15. Commit and save the configuration.
  16. Verify that the VPN tunnel has been established:
show openvpn site-to-site status
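The shell snippet below is an added example, not part of the original page or of the Velostrata PoC scripts. It checks the inputs for steps 12 to 16 (two distinct, well-formed tunnel addresses, a valid on-premises prefix, and a shared secret file that is not readable by other users) and then renders the whole configuration transaction, commit, save and status check included, as one block that can be reviewed before it is pasted into the appliance. The addresses 10.255.0.1, 10.255.0.2 and 192.168.10.0/24 are constructed placeholders, and the expectation that the secret file has mode 600 is an assumption, not something the page states.

```bash
#!/bin/bash
# Added example (not from the original page or the Velostrata scripts):
# validate the VPN parameters and render the VyOS transaction for
# steps 12 to 16 in commit order.

# Constructed sample parameters (assumptions, not values from the page).
LOCAL_TUN_IP=10.255.0.1       # tunnel-side address of the GCP appliance
REMOTE_TUN_IP=10.255.0.2      # tunnel-side address of the on-prem appliance
ONPREM_SUBNET=192.168.10.0/24 # network reached through the tunnel
SECRET_FILE=/config/auth/secret

# Dotted-quad IPv4 check with octet range, applied before a value is
# interpolated into a set command.
is_ipv4() {
  local IFS=. n=0 octet
  case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  for octet in $1; do
    [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# IPv4 prefix check: a valid address followed by /0 to /32.
is_cidr() {
  local addr=${1%/*} len=${1#*/}
  [ "$1" != "$addr" ] || return 1     # no slash at all
  is_ipv4 "$addr" || return 1
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ]
}

# Endpoints must be valid and distinct, the on-prem network must be a
# prefix, and the shared secret (if already copied) must be mode 600
# (assumed policy for the key file; not stated on the page).
check_vpn_inputs() {
  is_ipv4 "$1" && is_ipv4 "$2" && [ "$1" != "$2" ] && is_cidr "$3" || return 1
  if [ -e "$4" ]; then
    [ "$(stat -c %a "$4")" = "600" ] || return 1
  fi
}

# Emit the complete transaction: NAT, tunnel, static route, commit, save,
# then the operational status check.
render_vpn_config() {
  check_vpn_inputs "$1" "$2" "$3" "$4" || { echo "invalid VPN inputs" >&2; return 1; }
  cat <<EOF
configure
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 translation address masquerade
set interfaces openvpn vtun0 local-address $1
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 keep-alive interval 10
set interfaces openvpn vtun0 keep-alive failure-count 5
set interfaces openvpn vtun0 remote-address $2
set interfaces openvpn vtun0 shared-secret-key-file $4
set protocols static route $3 next-hop $2
commit
save
exit
show openvpn site-to-site status
EOF
}

render_vpn_config "$LOCAL_TUN_IP" "$REMOTE_TUN_IP" "$ONPREM_SUBNET" "$SECRET_FILE"
```

The static route points at the remote tunnel address, which is the next hop reachable through vtun0 once the tunnel is up; a failed input check prints nothing, so a typo in a prefix or a world-readable key file is caught before anything is committed.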